Link Aggregation

FR4X

Hello,

What's the best practice while configuring a port-channel between a firewall stack and a switch?

I have a 2 member firewall stack (active/passive) and I'm using 2 ports from each firewall (4 total) to connect to a core switch. I seem to be all set on the firewall side but what should I do on the switch side? Bundle the 4 ports on the switch into 1 group or create 1 group for the primary firewall ports and another for the secondary firewall ports?

I already tried creating 1 group for the 4 ports and LACP blocks 2 of them, unfortunately it doesn't always block the secondary firewall (passive) ports, it blocked the primary ports a few times while testing. I guess I would have to do some LACP tweaking to make sure it always blocks the secondary ports?

I also tried doing 2 LAG groups, one for the primary ports and one for the secondary ports. This seems to work better than the 1 group, with this configuration both groups are up on the switch side but only the primary firewall ports are passing traffic since the other one is passive. In case of primary firewall failure, the secondary ports would start passing traffic and that should be fine.

I know both ways work, although one better than the other in my opinion, but I'm looking for the best option. I'm very sorry for the long read and any help would be really appreciated.

MarkD

I would review the limitations on the firewall platform you are using for HA, and if you are running active/passive or active/active

here are some resources

https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-0-0-0-high_availability/Content/Topics/High_Availability/About_High_Availability/about.htm/

https://www.sonicwall.com/support/knowledge-base/how-to-configure-link-aggregation/170505763142649/

https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7-0-0-0-system/Content/Interfaces/interfaces-link-aggregation-port-config.htm/